In the epic war film “A Bridge Too Far,” a group of World War II GIs scramble to save the last bridge crossing over a river before the enemy blows it up.
If you’re a U.S. Department of Defense prime or sub-contractor, you may feel like you’re facing a similar mad dash, only in this case to meet compliance with the Defense Federal Acquisition Regulation Supplement. A Bridge Too DFARS?
Ok, corniness aside, the DFARS 252.204-7008 requirement mandates the safeguarding of DoD contractor information systems through a defined set of NIST controls. If you’re a nerd like me, the core authentication requirement is in NIST SP 800-171, section 3.5, IDENTIFICATION AND AUTHENTICATION.
The critical deadline of December 31, 2017 is fast approaching. Billions of dollars’ worth of new and existing contracts could be at risk for the non-conforming DoD contractor.
While DFARS has many moving parts (and what mandate doesn’t?), authentication and access control are a good place to start. Stolen passwords are the easiest pathway for the would-be bad actor to breach your organization. In fact, the desire to strengthen access controls was a major reason for the initiative’s birth.
For access control, DFARS requires contractors to comply with NIST SP 800-171, whose controls are derived from NIST SP 800-53. Boiling it all down, this essentially means you’ll need to go beyond passwords to protect the Covered Defense Information (CDI) in your environment, which in turn means addressing the people, processes and technologies that touch it.
If this is still a little fuzzy for you, here are four pieces of advice I give when asked about DFARS and access controls. You may find this helpful no matter what point you are at in achieving compliance:
Find where your CDI lives. You’ll need to gain an understanding of the location and criticality of your CDI. A good starting point is the DFARS clause in your contract: see which people, systems, applications and technologies are called out. Once you understand the universe involved, you can see where you need to beef up your security.
Know what your users want and will accept. DFARS doesn’t have to slow down your users. In the quest to move beyond static passwords to something more in line with NIST Level 3, many organizations fall into the trap of assuming the only options are smartcards or hardware two-factor tokens. In fact, there is an array of options now available that, used individually or in combination with one another, can achieve Level 3: mobile and biometric authenticators, risk-based and contextual authentication, and even artificial intelligence is coming into view now. Bottom line: you can please the auditors and delight your users.
Prepare to be in compliance all the time. Part of the DFARS requirement states that “systems must be in compliance all the time.” While this overly broad statement may have been intended more directly for your patch and vulnerability management, a broader reading says that rolling back to static passwords, even during a business continuity/disaster recovery event, might not be palatable to the auditors. Better not risk it. Get an authentication solution resilient enough to stand up to downtime, and flexible enough to offer on-demand options to the user who forgets his phone at home or loses a token.
Report Your Cyber Incidents. DFARS requires the reporting of cyber incidents back to the DoD. One of the first places to start any cyber investigation is the logs, specifically your authentication logs. These can prove invaluable for figuring out who accessed what, when and how. Making sure you have a solution that covers all of your applications (cloud, mobile, web and legacy systems) is key to meeting this reporting requirement, because a login that was never logged cannot be reconstructed after the fact.
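As an added example (not code from the original post, and not any vendor’s product), here is a small Python script showing the “who accessed what, when and how” step in practice: it normalizes authentication log lines from three differently formatted sources (a web SSO service, a VPN gateway and a legacy ERP system) into one timeline, pulls out a single user’s activity, and flags successful logins to CDI systems that used only a password. The log formats, host names, user names, IP addresses, the CDI system inventory and the year assumed for syslog lines are all constructed for illustration.

```python
"""Added example: normalize authentication logs from several sources into
one timeline for incident investigation.  All formats and names are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional

SYSLOG_YEAR = 2017  # assumption: traditional syslog timestamps carry no year

# Assumption: the CDI system inventory you built in step 1 ("find where your CDI lives")
CDI_SYSTEMS = {"cdi-portal", "vpn-gw", "legacy-erp"}


@dataclass
class AuthEvent:
    when: datetime
    user: str
    system: str
    method: str    # "password", "password+otp", "smartcard", ...
    outcome: str   # "success" or "failure"
    source_ip: str


# Constructed sample lines in three made-up formats (web SSO, VPN gateway, legacy ERP)
SAMPLE_LOGS = [
    "2017-11-02T13:04:11Z sso user=jdoe app=cdi-portal factors=password,otp result=success ip=10.1.4.22",
    "2017-11-02T13:05:40Z sso user=jdoe app=cdi-portal factors=password,otp result=success ip=10.1.4.22",
    "2017-11-02T13:09:02Z sso user=asmith app=hr-wiki factors=password result=success ip=10.1.7.9",
    "Nov  2 13:12:55 vpn-gw vpnd[4123]: login user=jdoe method=password+otp status=OK from=203.0.113.5",
    "Nov  2 13:20:17 vpn-gw vpnd[4123]: login user=rlee method=password status=OK from=198.51.100.7",
    "Nov  2 13:21:03 legacy-erp authd: user=rlee auth=password result=FAIL src=10.1.9.3",
    "Nov  2 13:21:30 legacy-erp authd: user=rlee auth=password result=OK src=10.1.9.3",
]

SSO_RE = re.compile(
    r"^(?P<ts>\S+) sso user=(?P<user>\S+) app=(?P<sys>\S+) factors=(?P<m>\S+) "
    r"result=(?P<r>\S+) ip=(?P<ip>\S+)$")
VPN_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\S+) (?P<host>\S+) vpnd\[\d+\]: "
    r"login user=(?P<user>\S+) method=(?P<m>\S+) status=(?P<r>\S+) from=(?P<ip>\S+)$")
LEGACY_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\S+) (?P<host>\S+) authd: "
    r"user=(?P<user>\S+) auth=(?P<m>\S+) result=(?P<r>\S+) src=(?P<ip>\S+)$")


def _syslog_time(mon: str, day: str, time: str) -> datetime:
    # Syslog lines have no year or zone; pin both so events from all sources sort together
    stamp = datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {time}", "%Y %b %d %H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc)


def parse_line(line: str) -> Optional[AuthEvent]:
    """Map one raw line to an AuthEvent; return None for formats we do not recognize."""
    m = SSO_RE.match(line)
    if m:
        when = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        method = m["m"].replace(",", "+")            # "password,otp" -> "password+otp"
        outcome = "success" if m["r"] == "success" else "failure"
        return AuthEvent(when, m["user"], m["sys"], method, outcome, m["ip"])
    for pattern in (VPN_RE, LEGACY_RE):
        m = pattern.match(line)
        if m:
            outcome = "success" if m["r"] == "OK" else "failure"
            return AuthEvent(_syslog_time(m["mon"], m["day"], m["time"]),
                             m["user"], m["host"], m["m"], outcome, m["ip"])
    return None  # in production, count unparsed lines: a silent drop hides evidence


def parse_logs(lines: Iterable[str]) -> List[AuthEvent]:
    """Parse every recognized line and return the events in time order."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    return sorted(events, key=lambda e: e.when)


def timeline_for_user(events: List[AuthEvent], user: str) -> List[AuthEvent]:
    """Everything one account did, across all sources: the core of a 'who accessed what' answer."""
    return [e for e in events if e.user == user]


def single_factor_cdi_logins(events: List[AuthEvent]) -> List[AuthEvent]:
    """Successful logins to a CDI system that used a password alone (no second factor)."""
    return [e for e in events
            if e.outcome == "success" and e.system in CDI_SYSTEMS and "+" not in e.method]


if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    for e in timeline_for_user(evts, "jdoe"):
        print(f"{e.when:%Y-%m-%d %H:%M:%S} {e.user} -> {e.system} via {e.method} "
              f"({e.outcome}) from {e.source_ip}")
    print("password-only CDI logins:", [(e.user, e.system) for e in single_factor_cdi_logins(evts)])
```

The point of the normalization step is that the question an incident report has to answer spans all of these sources at once; the password-only check doubles as a quick audit of where the move beyond static passwords has not yet reached.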
As you race toward your own metaphorical DFARS bridge, remember that you have options when it comes to your authentication system. Don’t get locked into a two-factor-token mentality, and remember that doing this right has additional benefits: maintaining a high degree of compliance, being at the ready in a cyber incident, and ultimately winning you those hard-earned contracts.